Many computing systems provide various features to enforce security. Enforcing security includes evaluating and enforcing authentication and authorization. Computing devices employ authentication to securely identify users. A computing device generally employs an authentication component to determine who a user is and whether the user is really who they claim to be. A concept related to authentication is authorization. Computing systems employ authorization to determine the level of access for the authenticated user. For example, a computing system may evaluate authorization rules to determine what features or resources an authenticated user should be provided access to (e.g., to access, add, create, delete, or modify). Once a computing system authenticates a user, the computing system may provide various features to the user based on that user's authorization. The computing system can employ an authorization component to determine the appropriate level of authorization, such as by enforcing authorization rules.
Computing systems conventionally enforce security actively. Active authentication generally includes receiving authentication information directly from a user who is to be authenticated. As examples, users may provide login credentials (e.g., user ID and/or password), place a card key or other device proximate to a user, or take some other active step to identify and/or authenticate themselves. Thus, active authentication generally involves verifying a “secret” that is shared between the user and the computing system or validating a user's response to a challenge. Active authorization includes enforcing rules based on the authentication.
However, authentication can sometimes get in the way of authorization when some features or transactions provided by a computing system require a different “level” of authentication than other features. As an example, when the computing system is a mobile telephone, a user may require a first level of authentication to place local phone calls and a second, different level of authentication to place long-distance phone calls or conduct an electronic commerce transaction. As another example, the user may need a third level of authentication to browse public Internet websites but a fourth, different level of authentication to send or receive electronic mail.
Although features provided by a computing system can be divided into different categories, such divisions are ineffective when, e.g., the user is not yet authenticated, authenticating a user actively is unnecessary, or a feature requires a different level of authorization than the level that can be provided to the authenticated user.